CVE-2026-1239

WordPress · Ninja Forms

The Ninja Forms plugin for WordPress is vulnerable to unauthorized data access due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST API endpoint.

Executive summary

A missing authorization check in the Ninja Forms plugin allows unauthenticated attackers to potentially access sensitive data via the REST API.

Vulnerability

This vulnerability stems from a missing capability check on the ninja-forms-views/token/refresh REST callback. An unauthenticated attacker can invoke this function to potentially retrieve sensitive tokens or data managed by the plugin.
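To show the defect class in concrete terms, the following is an added illustration written for this advisory, not Ninja Forms' own code: a hypothetical plugin registers a token-refresh route, and the hardened registration gates it with a permission_callback. The namespace 'example-views/v1', the option key, the capability 'manage_options' and the callback names are assumptions.

```php
<?php
// Added example, not the plugin's code. Everything named here is assumed.

// VULNERABLE SHAPE (kept as a comment so it is never registered):
// register_rest_route( 'example-views/v1', '/token/refresh', array(
//     'methods'  => 'POST',
//     'callback' => 'example_refresh_token',
//     // no 'permission_callback': any visitor can rotate and read the token
// ) );

// HARDENED: the same route, reachable only by users holding the capability.
// Unauthenticated callers receive 401, authenticated users without it 403.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-views/v1', '/token/refresh', array(
        'methods'             => 'POST',
        'callback'            => 'example_refresh_token',
        'permission_callback' => 'example_refresh_token_permission',
    ) );
} );

function example_refresh_token_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to refresh this token.', 'example' ),
            // 401 for anonymous requests, 403 for logged-in users without the cap
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_refresh_token( WP_REST_Request $request ) {
    // Rotate the stored token and return it; the storage key is assumed.
    $token = wp_generate_password( 32, false );
    update_option( 'example_views_token', $token );
    return rest_ensure_response( array( 'token' => $token ) );
}
```

Note that cookie-authenticated REST requests must also carry a valid X-WP-Nonce header, otherwise WordPress treats the caller as anonymous and current_user_can() returns false even for a logged-in browser session.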

Business impact

Successful exploitation of this vulnerability could lead to unauthorized access to sensitive user or form data, potentially violating data privacy regulations. With a CVSS score of 7.5, this high-severity flaw represents a significant risk to the confidentiality and integrity of the WordPress environment.

Remediation

Immediate Action: Update the Ninja Forms plugin to the latest available version provided by the vendor to ensure the authorization check is properly implemented.

Proactive Monitoring: Review REST API access logs for unusual requests directed at the ninja-forms-views endpoints, in particular ninja-forms-views/token/refresh.

Compensating Controls: Implement a Web Application Firewall (WAF) rule to block unauthorized access attempts to the vulnerable REST API path until an update can be applied.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the ease of interacting with REST API endpoints, this vulnerability poses a clear risk of unauthorized data exposure. Organizations should prioritize patching this plugin immediately and audit their WordPress environment for any suspicious API activity.